#!/bin/sh
# Set router defaults runing first boot

# Ensure this script is only run once
if CONFIGED=$(uci get system.@system[0].cghmn_is_configured 2>/dev/null) && [ "$CONFIGED" = "1" ]; then
	exit 0
fi

# Get last four letters of eth0 MAC
FULL_MAC=$(ip link show eth0 | awk '/link\/ether/ { gsub(":",""); print substr($2,0,4) ":" substr($2,5,4) ":" substr($2,9,4) }')
MAC_LASTFOUR=$(echo "${FULL_MAC}" | awk -F':' '{ print $3 }')
NEW_HOSTNAME="CGHMN-Node-$MAC_LASTFOUR"

# Turn last four letters of MAC into IPv4 address suffix
LOCAL_IP4_FROM_MAC=$(printf "%d.%d" $(echo "${MAC_LASTFOUR}" | awk '{ print "0x" substr($0,0,2) " 0x" substr($0,3,2)  }'))

# Static variables used to configure the Wireguard tunnel
WG_PEER_ADDRESS="insert.target.server.domain"
WG_PEER_PUBKEY="VAVFX88DKGoO2naiWml1jepF7MVrIjDAbMhhYq5S1nQ="

# Wireguard IPv4 variables
WG_TUNNEL_INNER_SUBNET4="10.234."
WG_TUNNEL_INNER_SUBNET4_SIZE="16"
WG_TUNNEL_INNER_LOCAL_IP4="${WG_TUNNEL_INNER_SUBNET4}${LOCAL_IP4_FROM_MAC}"
WG_TUNNEL_INNER_PEER_IP4="${WG_TUNNEL_INNER_SUBNET4}.0.1"
WG_TUNNEL_REMOTE_SUBNET4="10.201.0.0/23"

# Wireguard IPv6 variables
WG_TUNNEL_INNER_SUBNET6="fd38:f85d:a2fd::"
WG_TUNNEL_INNER_SUBNET6_SIZE="64"
WG_TUNNEL_INNER_LOCAL_IP6="${WG_TUNNEL_INNER_SUBNET6}${FULL_MAC}"
WG_TUNNEL_INNER_PEER_IP6="${WG_TUNNEL_INNER_SUBNET6}ffff:ffff:ffff:ffff"
WG_TUNNEL_REMOTE_SUBNET6="2001:470:5168:201::/64"

# Generate new Wireguard private key for this node
WG_PRIVKEY="$(wg genkey)"

# Static variables used to configure the VXLAN interface
VXLAN_LOCAL_IP="${WG_TUNNEL_INNER_LOCAL_IP6}"
VXLAN_PEER_IP="${WG_TUNNEL_INNER_PEER_IP6}"
VXLAN_ID="101"

# Before adding new config, clear old firewall zones and rules
while uci -q delete firewall.@rule[0]; do :; done
while uci -q delete firewall.@zone[0]; do :; done
while uci -q delete firewall.@forwarding[0]; do :; done

# Batch-add most UCI configuration next
uci -q batch <<EOUCI
set system.@system[0].hostname='${NEW_HOSTNAME}'

# -- Create firewall zones -- #

# WAN zone (allow input for management from regular home network)
add firewall zone
set firewall.@zone[-1].name='wan'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add_list firewall.@zone[-1].network='wan'

# Retro LAN zone (default deny any traffic and add firewall rule for forwardings)
add firewall zone
set firewall.@zone[-1].name='retro_lan'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='REJECT'
set firewall.@zone[-1].forward='REJECT'
add_list firewall.@zone[-1].network='cghmn_vxlan'
add_list firewall.@zone[-1].network='retro_lan'

# Outer transport tunnel zone outside of Retro LAN
add firewall zone
set firewall.@zone[-1].name='tunnel'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
add_list firewall.@zone[-1].network='cghmn_wg'
add_list firewall.@zone[-1].network='cghmn_vxlan'

# PPP client zone
add firewall zone
set firewall.@zone[-1].name='ppp_client'
set firewall.@zone[-1].input='ACCEPT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
add_list firewall.@zone[-1].network='ppp_daemon'

# -- Create network forwarding -- #

# Allow forwarding from local PPP clients to the Retro LAN and WAN
add firewall forwarding
set firewall.@forwarding[-1].src='ppp_client'
add_list firewall.@forwarding[-1].dest='retro_lan'
add_list firewall.@forwarding[-1].dest='wan'

# -- Create firewall rules -- #

# Allow VXLAN packages on transport network
add firewall rule
set firewall.@rule[-1].name='Allow incoming VXLAN packets'
set firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].src='tunnel'
set firewall.@rule[-1].target='ACCEPT'
set firewall.@rule[-1].family='ipv6'
set firewall.@rule[-1].dest_port='4789'
set firewall.@rule[-1].src_ip='${WG_TUNNEL_INNER_PEER_IP6}'

# -- Create interfaces -- #

# Delete predefined interfaces
delete network.wan
delete network.wan6
delete network.lan

# Create WAN interface on default WAN network port
set network.wan=interface
set network.wan.proto='dhcp'
set network.wan.device='eth0.2'

# Create Wireguard tunnel interface
set network.cghmn_wg=interface
set network.cghmn_wg.proto='wireguard'
set network.cghmn_wg.private_key='${WG_PRIVKEY}'
set network.cghmn_wg.mtu='1634'
add_list network.cghmn_wg.addresses='${WG_TUNNEL_INNER_LOCAL_IP6}/${WG_TUNNEL_INNER_SUBNET6_SIZE}'
add_list network.cghmn_wg.addresses='${WG_TUNNEL_INNER_LOCAL_IP4}/${WG_TUNNEL_INNER_SUBNET4_SIZE}'

# Create VXLAN interface on Wireguard tunnel
set network.cghmn_vxlan=interface
set network.cghmn_vxlan.proto='vxlan6'
set network.cghmn_vxlan.srcportmin='4789'
set network.cghmn_vxlan.mtu='1500'
set network.cghmn_vxlan.learning='0'
set network.cghmn_vxlan.ip6addr='${VXLAN_LOCAL_IP}'
set network.cghmn_vxlan.peer6addr='${VXLAN_PEER_IP}'
set network.cghmn_vxlan.vid='${VXLAN_ID}'

# Create unmanaged Retro LAN bridge interface
set network.retro_lan=interface
set network.retro_lan.proto='none'
set network.retro_lan.device='br-retrolan'

# Create PPP interface for local vmodem dialin
set network.ppp_daemon=interface
set network.ppp_daemon.proto='none'
set network.ppp_daemon.device='ppp0'

# -- Configure actual network interfaces -- #

# Create and configure Retro LAN Linux bridge spanning the VXLAN and default LAN network port
add network device
set network.@device[-1].type='bridge'
set network.@device[-1].name='br-retrolan'
add_list network.@device[-1].ports='cghmn_vxlan'
add_list network.@device[-1].ports='eth0.1'

# -- Add Wireguard remote peer -- #

# Remote CGHMN Wireguard peer
add network wireguard_cghmn_wg
set network.@wireguard_cghmn_wg[-1].description='CGHMN Server'
set network.@wireguard_cghmn_wg[-1].persistent_keepalive='15'
set network.@wireguard_cghmn_wg[-1].route_allowed_ips='1'
set network.@wireguard_cghmn_wg[-1].public_key='${WG_PEER_PUBKEY}'
set network.@wireguard_cghmn_wg[-1].endpoint_host='${WG_PEER_ADDRESS}'
add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_INNER_SUBNET6}/${WG_TUNNEL_INNER_SUBNET6_SIZE}'
add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_INNER_SUBNET4}/${WG_TUNNEL_INNER_SUBNET4_SIZE}'
add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_REMOTE_SUBNET6}'
add_list network.@wireguard_cghmn_wg[-1].allowed_ips='${WG_TUNNEL_REMOTE_SUBNET4}'

# -- Set some WiFi defaults -- #
delete wireless.default_radio0
set wireless.radio0.band='2g'
set wireless.radio0.channel='1'
set wireless.radio0.legacy_rates='1'
set wireless.wifinet0=wifi-iface
set wireless.wifinet0.device='radio0'
set wireless.wifinet0.mode='ap'
set wireless.wifinet0.ssid='retronet'
set wireless.wifinet0.encryption='psk-mixed'
set wireless.wifinet0.key='${FULL_MAC}'
set wireless.wifinet0.network='retro_lan'
set wireless.wifinet0.disabled='1'

# -- DNSmasq config -- #
set dhcp.@dnsmasq[0].localservice='0'

set system.@system[0].cghmn_is_configured=1
EOUCI

# Enable the vmodem init script
service vmodem-cghmn enable || true